CVE-2026-28292
Published: 10 March 2026
Description
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.
Mitigating Controls (NIST 800-53 r5)
- Directly mandates timely remediation of the command injection flaw in simple-git versions 3.15.0 through 3.32.2 by patching to version 3.23.0 or later.
- Requires vulnerability scanning of software dependencies such as the simple-git npm package to identify and address CVE-2026-28292 before exploitation.
- Addresses the OS command injection (CWE-78) aspect by validating and sanitizing untrusted inputs, such as crafted Git repository URLs, before they are passed to simple-git.
Security Summary
CVE-2026-28292 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting the `simple-git` npm package, an interface for executing Git commands in Node.js applications. Versions 3.15.0 through 3.32.2 contain a flaw classified under CWE-78 (OS Command Injection) and CWE-178 (Improper Encoding or Escaping of Outputs), which enables attackers to bypass mitigations from prior vulnerabilities CVE-2022-25860 and CVE-2022-25912, resulting in full remote code execution on the host machine. The issue was published on 2026-03-10.
A remote attacker requires no privileges or user interaction and can exploit this over the network with low complexity. By crafting malicious input processed by `simple-git`, such as through Git repository URLs or commands, the attacker achieves arbitrary code execution on the host system, potentially leading to complete compromise including high confidentiality, integrity, and availability impacts.
The GitHub security advisory (GHSA-r275-fr43-pm7q) and related commit (f7042088aa2dac59e3c49a84d7a2f4b26048a257) detail the fix, with version 3.23.0 providing an updated patch. Security practitioners should upgrade to version 3.23.0 or later and review the CodeAnt.ai research for additional technical details on the bypass mechanism.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remote, unauthenticated OS command injection vulnerability in the Node.js simple-git library enables exploitation of public-facing applications (T1190) for arbitrary command execution through a command and scripting interpreter (T1059).